Unless you have spent the last 12 months living under a rock (and perhaps even if you have), you will note that this year’s buzz-word is ‘Cloud’. You can’t move for IAAS-ification, SAAS-ification and all manner of slideware with pictures of little fluffy clouds. ‘Cloud Computing for Dummies’ has either been done or will be done shortly, coming to an InfoSec near you soon.

What has struck me, having spent time recently sat in vendor presentations, is the fact that we are all pretty much saying the same things, i.e. we are not quite sure where this is all going, and we are all aware there is quite of a lot of marketing hype. So I thought this post should contain the definitive dead simple pitch on Cloud:

1. It’s all about the transaction cost. If you can reduce the cost of doing business per transaction by doing Cloud, then do it

2. Similarly, since you don’t know where your data is going to end up, if you NEED to know where your data is going, don’t do it. No need to be explaining to the papers why UK sensitive data is now subject to the Patriot Act eh?

3. It doesn’t matter how cute the technology is or how big the vaunted savings that the outsourcer puts in front of you, you can’t outsource risk. If the Cloud provider screws up and loses your data, IT’S STILL YOUR FAULT. If you don’t believe me, drop this nice chap a line: www.stewartroom.com and tell him I sent you. He will explain this bit of the law to you, and like me, it will make you nervous. You cannot outsource risk. Have I mentioned that?

4. And assuming you get a watertight contract and are comfy with where the data ends up, it’s still all about the endpoint. Since you will be serving up your data via a browser to your users, they will try and access it from a PC, laptop, i-Phone or even their Wii browser. They will lose their laptop, have their mobile device stolen and they will copy stuff onto a USB stick. This USB stick will be ‘mislaid at a nightclub’* and you will have to tell the ICO. So get your AV/anti-malware right. Deploy Device Control and DLP. It’s all very well having groovy Cloud-based facilities but if you are still leaking like a sieve it’s the same problem with the same outcome.

This Cloud malarkey is worth doing where you can replicate simple transactional business over and over again. But it needs scrutiny of the highest order and if anything, a focus on the endpoint that is even more disciplined than before.